write-eventlog does not write to application log (after register the prefered source)

Question

I try to write to eventlog "application". I used a ScriptingGuy-Tutorial. As described in the blog, I register the source "ScS" with the following command in a "run as administrator"-Powershell: New-EventLog -logname Application -source "ScS"

I do not receive an error or any other feedback. In the registry I can see the source in the path

HKLM\System\CurrentControlSet\Services\EventLog\Application\ScS  

After that, I try to write a event:

write-eventlog -logname Application -Source "ScS" -EntryType Information -EventId 01 -Message "Test"

I do not receive an error. But it does not write the event. I don't see it in eventvwr nor in the shell, using get-eventlog -LogName Application -Source "ScS"

I use Win 8.1 Pro (German Language) with Powershell 4.0. Hope you can show me my mistake...

Answer 1

You are loosing the fact that the logname in the first call is the name of the log you whant to create "Application" is an existing log.

Here is an example (PowerShell V2 has its own cmdlets) :

# List of logs
Get-EventLog -list

# Creating your own log
New-EventLog -LogName "SlxScripting" -Source "MaSource"

# List of logs
Get-EventLog -list

# Writting in your own log
Write-EventLog -LogName "SlxScripting" -EventId 12 `
               -Message "Mon Message" 
               -Source "MaSource" -EntryType Warning

# Reading (consuming) in your own log
Get-EventLog -LogName "SlxScripting"  

# Suppressing your log (if needed)
Remove-EventLog -LogName "SlxScripting"

Answer 2

I had the same issue on Server 2012 R2. As shown in the linked Scripting Guy tutorial, it should be possible to add a Source to the existing Application log--no need to create your own log.

I found a hint in this StackOverflow answer: stop and restart the Windows Event Log service. Once I did that, Write-EventLog started creating events in the Application event log. I also had to re-launch Event Viewer to get rid of some warnings like "Description cannot be found". According to the bottom of this article, this is due to Event Viewer caching. Others like this answer suggest just restarting the computer.

Note that restarting the service is not required in Windows 10. It seems this is a Windows 8.1 / 2012 R2 bug.